Document toolboxDocument toolbox

8. Assistance to the Data Controller

  1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist
    the Data Controller with appropriate technical and organisational measures, in the fulfilment of
    the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights
    pursuant to Chapter 3 of the General Data Protection Regulation.
    This entails that the Data Processor should as far as possible assist the Data Controller in the
    Data Controller’s compliance with:

    1. notification obligation when collecting personal data from the data subject

    2. notification obligation if personal data have not been obtained from the data subject

    3. right of access by the data subject

    4. the right to rectification

    5. the right to erasure (‘the right to be forgotten’)

    6. the right to restrict processing

    7. notification obligation regarding rectification or erasure of personal data or restriction of
      processing

    8. the right to data portability

    9. the right to object

    10. the right to object to the result of automated individual decision-making, including profiling

  2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data
    Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation
    taking into account the nature of the processing and the data made available to the Data
    Processor, cf. Article 28, sub-section 3, para f.
    This entails that the Data Processor should, taking into account the nature of the processing,
    as far as possible assist the Data Controller in the Data Controller’s compliance with:

    1. the obligation to implement appropriate technical and organisational measures to ensure
      a level of security appropriate to the risk associated with the processing

    2. the obligation to report personal data breaches to the supervisory authority (Danish Data
      Protection Agency) without undue delay and, if possible, within 72 hours of the Data
      Controller discovering such breach unless the personal data breach is unlikely to result in
      a risk to the rights and freedoms of natural persons

    3. the obligation – without undue delay - to communicate the personal data breach to the
      data subject when such breach is likely to result in a high risk to the rights and freedoms
      of natural persons

    4. the obligation to carry out a data protection impact assessment if a type of processing is
      likely to result in a high risk to the rights and freedoms of natural persons

    5. the obligation to consult with the supervisory authority (Danish Data Protection Agency)
      prior to processing if a data protection impact assessment shows that the processing will
      lead to high risk in the lack of measures taken by the Data Controller to limit risk

  3. The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s
    assistance to the Data Controller shall be specified in the Parties’ ‘Master Agreement’.

 

Need help? Get in touch with us via: https://www.retinalyze.com/contact